ApacheJMeter_core is vulnerable to remote code execution (RCE). The vulnerability exists due to a lack of client authentication when Apache JMeter is configured in a distributed mode, allowing an attacker to perform arbitrary deserialization of untrusted data which will lead to arbitrary code execution.